grucker Posted February 13, 2014
On many pages I have the code

session_start();
if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd'])){
    header("Location: /index.php");
    exit; // stop here, otherwise the rest of the protected page is still sent after the redirect header
}

This allows a logged on viewer to see the many pages. Trouble is I now would like another person to log in to view just one page. Imagine the if should have an elseif but I struggle to get it to work. Any help please
KevinM1 Posted February 13, 2014
That's a pretty archaic way of handling users. Ideally, you'd have a User table in a database that contains their login name and a hashed version (never, ever, EVER the plaintext version) of their password. When they log into the system, you'd check the data they entered against the data that's in the database. If it matches, you then set a flag (it could be something as simple as $_SESSION['loggedIn'] = true;) that you pass from page to page. If you need to limit what logged in users can see based on their access level, simply add that info to the database and pass that around as well (something like $_SESSION['accessLevel'] = 'admin';). Then you can simply check if they're logged in and if they're at the proper access level to view the page.
grucker Posted February 13, 2014
> That's a pretty archaic way of handling users. Ideally, you'd have a User table in a database that contains their login name and a hashed version (never, ever, EVER the plaintext version) of their password. When they log into the system, you'd check the data they entered against the data that's in the database. If it matches, you then set a flag (it could be something as simple as $_SESSION['loggedIn'] = true;) that you pass from page to page. If you need to limit what logged in users can see based on their access level, simply add that info to the database and pass that around as well (something like $_SESSION['accessLevel'] = 'admin';). Then you can simply check if they're logged in and if they're at the proper access level to view the page.

You are perfectly correct. There is no database and the information to be viewed is not earth shattering, just test reports from boring electrical equipment. At the mo I send different users to different pages and the one who is just supposed to see one would have to know the names of the other pages to see more. I just wondered if it was possible.
KevinM1 Posted February 13, 2014
You should probably describe your current setup and problem in more detail, because I'm not sure what "the names of the other pages" is supposed to mean.
grucker Posted February 13, 2014
I know what I mean, I just find it difficult to explain without breaking the rules.

session_start();
if($_REQUEST['usr']=="AINSCOUGH" && $_REQUEST['pswd']=="*****"){
    $_SESSION['usr'] = "AINSCOUGH";
    $_SESSION['pswd'] = "******";
    header("Location: ../accounts/AINSCOUGH/location.php");
    exit;
}
elseif($_REQUEST['usr']=="AINSCOUGH" && $_REQUEST['pswd']=="*****"){
    $_SESSION['usr'] = "AINSCOUGH";
    $_SESSION['pswd'] = "******";
    header("Location: ../accounts/AINSCOUGH/SiteName/Teesside/showfolders.php");
    exit;
}

Are the 2 users. I can make either the only one able to see the page by changing $_SESSION['pswd'] to eg. twit and then on the page

session_start();
if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd'])){
    header("Location: /index.php");
    exit;
}

Change pswd to twit, which allows only the one allowed to see one page. I just wanted both to see this page and leave the original code on the other pages to only allow password ***** to see the pages. Is that more explanatory?
Edited February 13, 2014 by KevinM1
KevinM1 Posted February 13, 2014
Okay, first, some tips:

1. NEVER post sensitive info on a public forum like this one. I took the liberty of editing out the passwords in your post above, but, yeah, not smart.

2. Why are you passing a user's name and password through sessions? All you need to know is the user, right? Each user should have their own account. Successful login should set a flag that says "I'm logged in as Bob," or "I'm logged in as Suzie." Passing their passwords around, especially in non-hashed plaintext (meaning, exactly what they enter into the system) is both unnecessary and dangerous from a security standpoint. You might think, "Well, this is a small site... who would ever see it?" But small sites are perfect targets for bad guys because they tend to have bad security. And since most people still use the same password for everything in their lives, a security hole on your site could eventually mean someone having their identity stolen.

3. Why are you checking for a certain usr/pswd combo only to reassign it with the same exact data immediately afterward? The

$_SESSION['usr'] = "AINSCOUGH";
$_SESSION['pswd'] = "*****";

portions are completely unnecessary.

---

From what I can see, you've written yourself into a corner. Your current system is inflexible. Yeah, you could hack at it, with a bunch of if/else conditionals to make it 'work' (and you could), but that wouldn't really be addressing the underlying problem.

I suggest that you rebuild it so it's flexible and secure. Look at my first reply: that tells you the general approach you should take. If you need any help on any particular part of it, we'll be here. And while that's likely not what you wanted to hear, it's really the best way to go for you and your employer. I simply can't, as a web professional, give you a way to proceed with your current code in good conscience.
davidannis Posted February 13, 2014
How about something like this:

session_start();
if($_REQUEST['usr']=="AINSCOUGH" && $_REQUEST['pswd']=="*****"){
    $_SESSION['usr'] = "AINSCOUGH";
    $_SESSION['pswd'] = "******";
    $_SESSION['type']="this";
    header("Location: ../accounts/AINSCOUGH/location.php");
    exit;
}
elseif($_REQUEST['usr']=="AINSCOUGH" && $_REQUEST['pswd']=="*****"){
    $_SESSION['usr'] = "AINSCOUGH";
    $_SESSION['pswd'] = "******";
    $_SESSION['type']="that";
    header("Location: ../accounts/AINSCOUGH/SiteName/Teesside/showfolders.php");
    exit;
}

Then on pages you want anyone to see:

session_start();
if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd'])){
    header("Location: /index.php");
    exit;
}

but on those you want to restrict only to users of type "this" (or "that"):

session_start();
if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd'] || $_SESSION['type']!="this")){ // change this to that if you want to require users of type that
    header("Location: /index.php");
    exit;
}
grucker Posted February 14, 2014
> Okay, first, some tips:
> 1. NEVER post sensitive info on a public forum like this one. I took the liberty of editing out the passwords in your post above, but, yeah, not smart.
> 2. Why are you passing a user's name and password through sessions? All you need to know is the user, right? Each user should have their own account. Successful login should set a flag that says "I'm logged in as Bob," or "I'm logged in as Suzie." Passing their passwords around, especially in non-hashed plaintext (meaning, exactly what they enter into the system) is both unnecessary and dangerous from a security standpoint. You might think, "Well, this is a small site... who would ever see it?" But small sites are perfect targets for bad guys because they tend to have bad security. And since most people still use the same password for everything in their lives, a security hole on your site could eventually mean someone having their identity stolen.
> 3. Why are you checking for a certain usr/pswd combo only to reassign it with the same exact data immediately afterward? The $_SESSION['usr'] = "AINSCOUGH"; $_SESSION['pswd'] = "*****"; portions are completely unnecessary.
> ---
> From what I can see, you've written yourself into a corner. Your current system is inflexible. Yeah, you could hack at it, with a bunch of if/else conditionals to make it 'work' (and you could), but that wouldn't really be addressing the underlying problem. I suggest that you rebuild it so it's flexible and secure. Look at my first reply: that tells you the general approach you should take. If you need any help on any particular part of it, we'll be here. And while that's likely not what you wanted to hear, it's really the best way to go for you and your employer. I simply can't, as a web professional, give you a way to proceed with your current code in good

Once again I agree with you. If I was updating these files I would follow your instruction.
Unfortunately these accounts and files are updated by non-IT office staff. This method was the easiest method for them all to understand. I have taken your advice and removed

$_SESSION['usr'] = "AINSCOUGH";
$_SESSION['pswd'] = "*****";

Thanks for your help
grucker Posted February 14, 2014
> How about something like this:
> session_start();
> if($_REQUEST['usr']=="AINSCOUGH" && $_REQUEST['pswd']=="*****"){
>     $_SESSION['usr'] = "AINSCOUGH";
>     $_SESSION['pswd'] = "******";
>     $_SESSION['type']="this";
>     header("Location: ../accounts/AINSCOUGH/location.php");
>     exit;
> }
> elseif($_REQUEST['usr']=="AINSCOUGH" && $_REQUEST['pswd']=="*****"){
>     $_SESSION['usr'] = "AINSCOUGH";
>     $_SESSION['pswd'] = "******";
>     $_SESSION['type']="that";
>     header("Location: ../accounts/AINSCOUGH/SiteName/Teesside/showfolders.php");
>     exit;
> }
> Then on pages you want anyone to see:
> session_start();
> if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd'])){
>     header("Location: /index.php");
>     exit;
> }
> but on those you want to restrict only to users of type "this" (or "that"):
> session_start();
> if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd'] || $_SESSION['type']!="this")){ // change this to that if you want to require users of type that
>     header("Location: /index.php");
>     exit;
> }

I have tried this code. It appears to be almost what I require. Two things. I had to change

if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd'] || $_SESSION['type']!="this")){
    header("Location: /index.php");
    exit;
}

to

if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd']) || $_SESSION['type']!="this"){
    header("Location: /index.php");
    exit;
}

I only point this out for anyone else who may try it. Secondly, the code for multi viewers is fine but I really need a code so only "this" and "that" can see the page and not "other". Thanks ever so much for your help
grucker Posted February 14, 2014
I wrote this

session_start();
if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd']) || $_SESSION['type']!="this")
    if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd']) || $_SESSION['type']!="that"){
        header("Location: /index.php");
        exit;
    }

It seems to work and only allows the 2 users to view the page. Is the code written correctly? If so I can mark it solved
Edited February 14, 2014 by grucker
davidannis Posted February 14, 2014
Sorry about the misplaced )
Ch0cu3r Posted February 14, 2014 (marked as Solution)
Your if statement could be rewritten as

if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd']) || ($_SESSION['type']!="this" || $_SESSION['type']!="that")) {
    header("Location: /index.php");
    exit;
}

// Or as
$allowedTypes = array('this', 'that');
if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd']) || !in_array($_SESSION['type'], $allowedTypes)) {
    header("Location: /index.php");
    exit;
}
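The approach KevinM1 describes (hashed passwords, only the user and their access level in the session) combined with the in_array() check above, written out as an added example that is not code from anyone in the thread; the user names, access types and PLACEHOLDER hashes are constructed, and the users live in a PHP array because the site has no database.

```php
<?php
// Added example, not code from the thread. Passwords are checked with
// password_verify() against stored hashes (PHP 5.5+), and only the user
// name and access type go into the session, never the password.
// User names, types and the PLACEHOLDER hashes below are constructed;
// generate real ones once with password_hash('secret', PASSWORD_DEFAULT).
$users = array(
    'AINSCOUGH' => array('hash' => '$2y$10$PLACEHOLDER_HASH_1', 'type' => 'this'),
    'OFFICE'    => array('hash' => '$2y$10$PLACEHOLDER_HASH_2', 'type' => 'that'),
    'VISITOR'   => array('hash' => '$2y$10$PLACEHOLDER_HASH_3', 'type' => 'other'),
);

// index.php: returns true and records who is logged in when the submitted
// credentials match; returns false otherwise (the same answer for an unknown
// user and a wrong password, so the form does not confirm valid user names).
function login(array $users, $usr, $pswd)
{
    if (!isset($users[$usr]) || !password_verify($pswd, $users[$usr]['hash'])) {
        return false;
    }
    session_regenerate_id(true);        // fresh session id once privileges change
    $_SESSION['usr']  = $usr;
    $_SESSION['type'] = $users[$usr]['type'];
    return true;
}

// Top of every protected page: $allowed lists the types that may view it.
// in_array() is the right test for "one of these"; the expression
// ($type != "this" || $type != "that") is true for every value, which is
// why the first rewrite above redirects everyone.
function requireType(array $allowed)
{
    if (!isset($_SESSION['usr'], $_SESSION['type'])
        || !in_array($_SESSION['type'], $allowed, true)) {
        header('Location: /index.php');
        exit;   // without exit the rest of the page is still sent to the browser
    }
}

// On the page that both "this" and "that" may see (but not "other"):
// session_start();
// requireType(array('this', 'that'));
```

Because the page guard no longer looks for $_SESSION['pswd'], nothing has to be re-added to the login script for it to work, which removes the problem reported later in the thread.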
grucker Posted February 15, 2014
> Your if statement could be rewritten as
> if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd']) || ($_SESSION['type']!="this" || $_SESSION['type']!="that")) {
>     header("Location: /index.php");
>     exit;
> }
> // Or as
> $allowedTypes = array('this', 'that');
> if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd']) || !in_array($_SESSION['type'], $allowedTypes)) {
>     header("Location: /index.php");
>     exit;
> }

The first didn't work but the array did, Thanks. Regarding earlier post.

$_SESSION['usr'] = "AINSCOUGH";
$_SESSION['pswd'] = "*****";

I had to re-add this, it didn't work without it on the Linux server